Security breach in NIC, critical data at risk

A major security breach of the National Informatics Centre (NIC), which runs all the emails of senior officials and websites of all central government departments, allowed hackers to issue several fraudulent digital certificates, raising global concerns about India's net security practices.

The NIC is one of the select few authorised entities allowed to issue digital certificates and signatures that lie at the core of safe internet transactions. On June 25, hackers managed to breach its security and access all the data on its root directory that hosts its most sensitive data. They issued several fake digital certificates that went undetected for several days.

Digital certificates help authenticate users and allow them to safely log into emails, make payments and conduct sensitive transactions. A fake certificate can compromise critical data like passwords, names and personal data of internet users as well as cause huge financial frauds if left undetected.

With NIC failing to detect this breach, the matter would have been buried but for alarms raised by global IT majors like Google, Microsoft and Yahoo. Most of the web traffic passes through their browsers and search engines and an undetected fake certificate could have led to major frauds and loss of sensitive data.

The NIC has since sought to play down the incident. "Our site was attacked from outside India. The auditors have investigated between July 4 and 7 and urgent steps have been taken to mitigate the vulnerabilities," director general NIC Ajay Kumar told Hindustan Times.

But on July 25, Microsoft's Matt Thomlinson, vice president for security services, wrote to controller of certifying authorities TA Khan and RS Sharma, secretary in the department of technology, expressing serious concern at the lack of cooperation to address the security breach. The ministry also submitted misleading data to Parliament last week when questions were raised about the incident.

"We have been disappointed with your organisation's reluctance to share with us the investigation report," Thomlinson wrote.

"The current situation presents risk to customers and business around the world … (and) the network based attacker can tamper with audit logs and erase evidence of certificates being issued."

According to Thomlinson, the breach "raises very serious concerns about the trustworthiness" of India's entire security certification process.

"Microsoft supports an open and competitive market for certification authorities (CAs). All CAs included in the Windows trusted root store have to meet a number of requirements. We constantly monitor the threat landscape and respond as needed to help protect our global customers," he told HT.

Microsoft and Google were also upset with the Indian government's investigation. The NIC claimed on July 7 that there were only four fake certificates. But two days later Google found a fifth fake certificate issued by the NIC. An internal investigation also revealed that the hacker had managed to break into the core root directory of the NIC to access all its data.

In a curious move, the government has reinstated NIC's authority to issue certificates but also barred it from doing so for at least six months. Companies like Google and Microsoft have refused to accept NIC's certificates and have declared many government websites certified by it as unsafe. Ironically, many key Indian websites, like the income tax authority's website, that allow transfer of sensitive data are currently dependent on foreign firms to certify their safety.